Kubernetes provides the freedom to rapidly build and ship applications while dramatically minimizing deployment and service update cycles. However, the velocity of application deployment requires a new approach that involves integrating tools as early as possible in the deployment pipeline and inspecting the code and configuration against Kubernetes security best practices. Kubernetes has many security knobs that address various aspects required to harden the cluster and applications running inside.

Kubernetes is a container orchestration tool, but its functionality extends far beyond just orchestrating containers in a narrow sense. It offers a range of additional features that—to a limited extent—address needs such as load balancing, access control, security policy enforcement, and even logging and monitoring. Indeed, Kubernetes’s broad functionality has led some folks to call it an “operating system” in its own right.

Kubernetes gives organizations the ability to run Kubernetes clusters at scale across different cloud infrastructures and distributions. Unfortunately, this is where many of the challenges begin. As the number of clusters and workloads grow, they are being managed independently with very little consistency.

Compromising a pod in a Kubernetes cluster can have disastrous consequences on resources in an AWS Elastic Kubernetes Service (EKS) account if access to the Instance Metadata service is not explicitly blocked. The Instance Metadata service is an AWS API listening on a link-local IP address. Only accessible from EC2 instances, it enables the retrieval of metadata that is used to configure or manage an instance.

Amazon’s Bottlerocket is a new Linux-based open-source operating system that’s designed with containers in mind. Bottlerocket is optimized and stripped down to only the essential software needed to run containers. You can apply updates to Bottlerocket in a single step, and roll them back instantly if necessary. And, because it’s open-source, you can customize the operating system to fit your specific needs.

We are excited to partner with AWS in launching AWS Bottlerocket, a container optimized operating system. Bottlerocket gives DevOps teams speed, efficiency and security in containerized environments.

In surveys about why organizations adopt Kubernetes, a desire to reduce overall IT costs is an oft-cited reason for adopting containers and Kubernetes. Yet after the fact, when organizations talk about surprises during Kubernetes adoption, many cite increased costs. So does Kubernetes reduce costs or not? Like so many things in life, it depends. Here are some of the reasons Kubernetes projects come in over-budget and how to avoid them.

Sysdig is pleased to support AWS today in their GA launch of Bottlerocket, a special-purpose operating system designed for hosting Linux containers. Orchestrated container environments run potentially hundreds of compute nodes. Operating general-purpose Linux on container hosts introduces complexity for IT teams who must patch and update packages across their clusters. Worse, features and packages that are not necessary for running containers, introduce unnecessary security exposure.

Kubernetes is an open-source platform for container orchestration. You can use it to deploy a highly resilient, self-healing infrastructure using automation and infrastructure as code (IaC). Kubernetes includes features for zero downtime deployments, scaling, automatic rollout and rollback of updates, and service discovery. Kubernetes is designed to help you manage container deployments at scale via REST API.